[squid-users] Squid Websocket Issue

Eliezer Croitoru eliezer at ngtech.co.il
Mon Jan 2 13:47:20 UTC 2017


Can we start from 0?
Currently, when Squid knows about the connection being one with WebSocket support, it is already too late to do anything about this specific connection.
The only option for now is to identify these using some ICAP service that will, for example, redirect the request after a small delay that will add the destination domain IP address to a bypass list.
It’s not trivial, but I have seen such an implementation on ssl bump.

Can you please redirect me to the specific email with the bug details?

Eliezer

----
http://ngtech.co.il/lmgtfy/
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer at ngtech.co.il


From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of Hardik Dangar
Sent: Monday, January 2, 2017 8:47 AM
To: Alex Rousskov <rousskov at measurement-factory.com>
Cc: Squid Users <squid-users at lists.squid-cache.org>
Subject: Re: [squid-users] Squid Websocket Issue

@amos or anyone else from dev team

Can you confirm this is intentional behavior or a bug?

On Mon, Jan 2, 2017 at 9:18 AM, Alex Rousskov <rousskov at measurement-factory.com> wrote:
On 12/27/2016 04:50 AM, Hardik Dangar wrote:

> If I remove !serverIsws somehow websockets will not work.

Then there is a bug somewhere AFAICT. It is your call whether to find
out what that bug is [while continuing to use a potentially dangerous
workaround].

Alex.


> On Tue, Dec 20, 2016 at 10:27 PM, Alex Rousskov wrote:
>
>     On 12/20/2016 02:42 AM, Hardik Dangar wrote:
>     > The following changes in config work and WhatsApp starts working,
>     >
>     > acl serverIsws ssl::server_name_regex ^w[0-9]+\.web\.whatsapp\.com$
>     >
>     > acl step1 at_step SslBump1
>     > ssl_bump peek step1
>     > ssl_bump splice serverIsws
>     > ssl_bump bump !serverIsws all
>
>     You do not need the "!serverIsws" part because if serverIsws matches,
>     then the splice rule wins, and Squid does not reach the bump rule. This
>     configuration is sufficient:
>
>       ssl_bump peek step1
>       ssl_bump splice serverIsws
>       ssl_bump bump all
>
>     In theory, adding "!serverIsws" does not hurt. However, negating complex
>     ACLs is tricky/dangerous and should be avoided when possible.
>
>     Alex.
>
>
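
The rule ordering discussed in the quoted messages can be checked offline with a small model. This is an added example, not code from the thread or from Squid: it models only first-match evaluation of the three quoted ssl_bump rules with an SNI present, and the function names and sample host names are constructed for illustration.

```python
import re

# ACL regex copied from the thread; matched case-sensitively as written (no -i).
SERVER_IS_WS = re.compile(r"^w[0-9]+\.web\.whatsapp\.com$")

def acl_matches(name, step, sni):
    """Evaluate one ACL name from the thread, optionally negated with '!'."""
    if name.startswith("!"):
        return not acl_matches(name[1:], step, sni)
    if name == "all":
        return True
    if name == "step1":
        return step == 1
    if name == "serverIsws":
        return bool(SERVER_IS_WS.search(sni))
    raise ValueError(f"unknown ACL {name!r}")

def first_match(rules, step, sni):
    """Return the action of the first rule whose ACLs all match (AND)."""
    for action, acls in rules:
        if all(acl_matches(a, step, sni) for a in acls):
            return action
    return None

def final_action(rules, sni):
    """Both rule sets peek at step 1, so the step-2 decision is final."""
    if first_match(rules, 1, sni) != "peek":
        raise RuntimeError("model assumes 'peek step1' wins at step 1")
    return first_match(rules, 2, sni)

# Rule set as posted, and the shorter form suggested in the reply.
ORIGINAL = [("peek", ["step1"]), ("splice", ["serverIsws"]),
            ("bump", ["!serverIsws", "all"])]
SIMPLIFIED = [("peek", ["step1"]), ("splice", ["serverIsws"]),
              ("bump", ["all"])]

# Constructed SNI values: one intended match plus near misses.
SAMPLE_SNI = ["w3.web.whatsapp.com", "web.whatsapp.com", "www.web.whatsapp.com",
              "w3.web.whatsapp.com.proxy.example", "xw3.web.whatsapp.com"]

def compare(names=SAMPLE_SNI):
    """Map each SNI to (action under ORIGINAL, action under SIMPLIFIED)."""
    return {n: (final_action(ORIGINAL, n), final_action(SIMPLIFIED, n))
            for n in names}

if __name__ == "__main__":
    for sni, (a, b) in compare().items():
        print(f"{sni:40s} original={a:6s} simplified={b}")
```

Only names that match the anchored regex are spliced and therefore pass without inspection; every near miss is bumped under both rule sets.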



